[zeromq-dev] EncryptedSocket added to pyzmq in branch
Brian Granger
ellisonbg at gmail.com
Wed Nov 3 21:11:50 CET 2010
Hi,
As original poster, I think I did a poor job of clarifying exactly
what we are seeking feedback on. Let me attempt that now and
summarize where we are at in our collective thinking on this issue....
1. Is the EncryptedSocket interface that Min has prototyped in his
branch a good plugin interface for users to add message based
encryption of their choice?
I think that once everyone understood that Min's prototype leaves the
choice of cryptographic approach up to the user, they became more
comfortable with the design. It does not pick or enforce a particular
encryption approach. But, one valid point made is that the interface
does not force users of pyzmq to handle encryption in a correct
manner. They might do it well, or they might do something very
insecure. This is important...
2. Is the idea of message based security worth pursuing?
I think Min's recent email summarizes the differences between message
based and transport based security:
Transport: encrypt/decrypt happen at each zmq hop
Message: only decrypt at endpoints (big deal for many relay hops)
Transport: always encrypt everything
Message: can encrypt only the sensitive subset of traffic
3. What type of cryptographic approach is appropriate for message
based security?
Baruk has made the excellent point that data integrity and
authenticity are important in addition to data privacy. I heartily
agree with this. Another way of saying this is that if your
application and data stream is sensitive to data corruption (malicious
or not), you can't just encrypt the data. You also need to compute
message authentication codes using a keyed hash function (HMAC). I
tried to make the point that this is true whether a data stream is
encrypted or not. This last point is important and is worth stopping
to emphasize:
* If you are using zeromq to send messages that CANNOT be corrupted in
any way, you MUST do something to ensure message integrity and
authenticity.
Baruk has proposed that a suitable approach is to use HMAC (for
message authenticity+validation) along with something like AES for
encryption. This is useful if key exchange/distribution can be
handled by an external protocol. PGP should also be looked at.
Is this a good summary?
I have one other question:
What vulnerabilities remain if message based HMAC + AES security is
used? In my mind, the main issue becomes how to distribute/exchange
keys.
Cheers,
Brian
--
Brian E. Granger, Ph.D.
Assistant Professor of Physics
Cal Poly State University, San Luis Obispo
bgranger at calpoly.edu
ellisonbg at gmail.com
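The message-level scheme discussed in this thread (HMAC for authenticity and validation, a cipher such as AES for privacy, key distribution handled by some external protocol) can be illustrated with a small encrypt-then-MAC framing for multipart messages. This is an added example, not code from the thread, from Min's branch, or from pyzmq itself. It assumes a shared master key already exists (the key-exchange problem Brian raises is out of scope), derives separate encryption and MAC keys from it, and, because the Python standard library has no AES, uses a stand-in keystream built from HMAC-SHA256 in counter mode where AES would go in a real deployment; the function names (`seal`, `unseal`, `derive_keys`) are the example's own. It also shows the "encrypt only the sensitive subset" point: an unencrypted routing frame stays readable by relays, but the MAC still covers it, so it cannot be altered in transit without detection.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16   # fresh random nonce per message; reuse with the same key breaks confidentiality
MAC_LEN = 32     # HMAC-SHA256 tag length


def derive_keys(master_key):
    # Separate keys for confidentiality and integrity, derived from one shared secret.
    # The labels are arbitrary constants chosen for this example.
    enc_key = hmac.new(master_key, b"example-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"example-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # Stand-in for AES: a PRF (HMAC-SHA256) run in counter mode. Only here so the
    # example runs with the standard library; use a real cipher in practice.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def _mac(mac_key, nonce, frames):
    # Authenticate the nonce and every frame (ciphertext or cleartext) with a length
    # prefix per frame, so frame boundaries are part of what is verified.
    m = hmac.new(mac_key, digestmod=hashlib.sha256)
    m.update(nonce)
    for frame in frames:
        m.update(struct.pack(">I", len(frame)))
        m.update(frame)
    return m.digest()


def seal(master_key, frames, encrypt_indices, nonce=None):
    """Return wire frames [nonce, frame0', frame1', ..., tag].

    Frames whose index is in encrypt_indices are encrypted; the others are sent in
    the clear (e.g. a routing/topic frame). The tag covers all of them (encrypt-then-MAC).
    """
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    protected = []
    for i, frame in enumerate(frames):
        if i in encrypt_indices:
            # Mix the frame index into the nonce so each frame gets a distinct keystream.
            protected.append(_xor(frame, _keystream(enc_key, nonce + struct.pack(">I", i), len(frame))))
        else:
            protected.append(frame)
    return [nonce] + protected + [_mac(mac_key, nonce, protected)]


def unseal(master_key, wire_frames, encrypt_indices):
    """Verify the tag first, then decrypt; raise ValueError on any mismatch."""
    if len(wire_frames) < 2 or len(wire_frames[0]) != NONCE_LEN or len(wire_frames[-1]) != MAC_LEN:
        raise ValueError("malformed message")
    nonce, protected, tag = wire_frames[0], wire_frames[1:-1], wire_frames[-1]
    enc_key, mac_key = derive_keys(master_key)
    # Constant-time comparison; nothing is decrypted until the MAC checks out.
    if not hmac.compare_digest(_mac(mac_key, nonce, protected), tag):
        raise ValueError("message authentication failed")
    frames = []
    for i, frame in enumerate(protected):
        if i in encrypt_indices:
            frames.append(_xor(frame, _keystream(enc_key, nonce + struct.pack(">I", i), len(frame))))
        else:
            frames.append(frame)
    return frames


def rejects(master_key, wire_frames, encrypt_indices):
    """True if unseal refuses the message (used to demonstrate tamper detection)."""
    try:
        unseal(master_key, wire_frames, encrypt_indices)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    master = os.urandom(32)                      # constructed shared key for the demo
    msg = [b"sensor/temperature", b"42.0 C"]     # constructed multipart message: topic + payload
    wire = seal(master, msg, {1})                # encrypt only the payload frame
    print("wire topic frame:", wire[1])          # relays can still route on the cleartext topic
    print("recovered:", unseal(master, wire, {1}))
    tampered = list(wire)
    tampered[1] = b"sensor/humidity"             # flip the cleartext topic in transit
    print("tampered topic rejected:", rejects(master, tampered, {1}))
```

The order matters: the receiver checks the HMAC before touching the ciphertext, which is the property that makes this framing hold up when the cleartext frames or the ciphertext are modified by a relay or an active attacker. What the scheme does not address is exactly what Brian's closing question points at: how both ends came to share `master_key` in the first place, and replay of an authentic message, which a sequence number inside the authenticated frames would be needed to detect.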